Although there were no reported incidents of death of American patients as a direct consequence of a ransomware attack, new research indicates an increase in patient mortality after a ransomware attack on a healthcare company. Based on a new survey performed by the Ponemon Institute, over one-fifth (22%) of healthcare companies stated patient mortality went up after a ransomware attack.
Ransomware attacks on healthcare companies frequently cause a shutdown of IT systems, a disruption of telephone and voicemail systems, rerouting of emergency patients to other facilities, and cancellation of scheduled appointments. The recovery process could take a few weeks, and services are disrupted during that time.
Although some ransomware groups have a rule of not targeting healthcare providers, a lot of ransomware operations still attack healthcare providers. For example, 20% of the ransomware operation of Vice Society targets the healthcare sector and still increasing. In the last 2 years, 43% of survey participants mentioned their company had encountered a ransomware attack, and 67% of them said they had one attack whereas 33% reported having more than one.
This Censinet-sponsored research conducted a survey involving 597 healthcare companies such as community hospitals, integrated delivery networks, and regional health systems. In 2021, the costs of ransomware attacks had increased to $9.23 million per incident on average. The Censinet research sought to find out if these attacks resulted in an adverse effect on patient safety. It also sought to know how COVID-19 has affected the capability of healthcare companies to continue patient care and secure patient data from ransomware attacks.
COVID-19 brought in a lot of new risk factors, for example, growth in remote working and innovative IT systems to serve those employees. Patient care demands grew, and COVID-19 prompted personnel shortages. The survey affirmed that COVID-19 has impacted the capability of healthcare companies to protect against ransomware attacks and other more harmful cyberattacks. Before COVID-19, 55% of healthcare providers stated they weren’t certain they could abate the risks of ransomware, as opposed to today, 61% of healthcare providers stated they aren’t convinced or have no trust in their capability to abate the risks of ransomware.
These attacks were seen to be adversely impacting patient safety. 71% of survey participants said ransomware attacks contributed to a longer stay in hospitals and 70% stated delays in diagnostic tests and clinical procedures because of ransomware attacks caused poor patient care. Subsequent to an attack, 65% of survey participants stated there were more patients being taken to other facilities, 36% stated they encountered more problems from medical processes, and 22% stated they had a higher mortality rate following an attack.
Another contributor to a greater risk of a ransomware attack is the increased dependence on business associates for digitizing and sending healthcare data and providing medical devices. The respondents explained they deal with 1,950 third parties and it is likely to increase by 30% in the following 12 months to 2,541 on average.
Ransomware groups and other cybercriminal gangs are targeting business associates of healthcare companies because of their poor cybersecurity. And one cyberattack on a business associate can allow access to the systems of several healthcare clients.
Working with third parties has a greater risk because healthcare organizations do not always perform the needed risk assessment of third parties before getting into a contract. Even if risk assessments are performed, many leaders ignore those risk assessments. As soon as contracts are signed, more than half (53%) of survey participants stated they had no schedule for regular risk assessments or these were only done on demand.
Censinet advises making a listing of all vendors and PHI. Systems and information can only be secured when accurate listings are kept. Workflow automation tools are helpful for creating a digital listing of all third parties and PHI files. These tools must likewise be utilized for making a listing of medical devices. It is important to keep medical devices secure because they can be used as an entry point into healthcare systems. Just 36% of survey respondents said their company knew the location of all medical devices, and just 35% stated they know which devices are nearing their end-of-life and won’t be supported.
The report advises performing a complete risk assessment of a vendor before getting into a contract, and then performing regular risk assessments after that and making sure action is taken to deal with any problems identified. More investment in cybersecurity is needed particularly to cover re-examination of high-risk third parties, as presently, just 32% of critical and high-risk third parties are evaluated yearly, and only 27% are re-evaluated yearly.
The report additionally highly recommends setting risk accountability and ownership to one function, which is going to help to make sure an efficient enterprise-risk management technique could be followed and maintained.
